Dirk Griesbach <spamt...@freenet.de> wrote:
Package: gajim
Version: 0.13.3-1
Severity: normal
Hi,
if opening specially formed text in a chat window with right click ->
action->wikipedia, or one of the other stuff, the action is not
performed right if the marked text includes e.g. an odd number of " or
other shell-sensitive characters like ' or #. Depending on the String
gajim throws an error message, does open a single tab in the browser for
every space-separated word or does some other weird stuff.
This is because gajim builds the command to open such an action without
sanitizing the input and executes exec_command() from common/helpers.py
with shell=True. So the underlying shell gets all the unescaped
characters.
IMHO the best way would be to use subprocess.Popen together with
shlex.split() as mentioned in [1] and shell=False in exec_command() to
solve this issue. Input sanitizing would therefore become no longer
necessary, phrases with spaces would be no problem, the code would be
clean and mean and the world would become a better, a safer place. ;-)
I tried to quick and dirty patch gajim this way, but sadly it had some
side effects on e.g. playing sound or opening the file manager because
of the current way the commands are built, so I dismissed the changes.
(Mostly because of time constraints which prohibited a deeper
investigation.)
Greetings
Dirk
[1] http://docs.python.org/library/subprocess.html
Hi,
First, thanks for the report and the solution, and sorry for the delay.
I'm trying to play with shlex, but I don't see how it can help. If the
string contains a ", it fails. If it contains a space, it fails:
>>> shlex.split('play sound"file')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.6/shlex.py", line 279, in split
    return list(lex)
  File "/usr/lib64/python2.6/shlex.py", line 269, in next
    token = self.get_token()
  File "/usr/lib64/python2.6/shlex.py", line 96, in get_token
    raw = self.read_token()
  File "/usr/lib64/python2.6/shlex.py", line 172, in read_token
    raise ValueError, "No closing quotation"
ValueError: No closing quotation
>>> shlex.split("play sound'file")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.6/shlex.py", line 279, in split
    return list(lex)
  File "/usr/lib64/python2.6/shlex.py", line 269, in next
    token = self.get_token()
  File "/usr/lib64/python2.6/shlex.py", line 96, in get_token
    raw = self.read_token()
  File "/usr/lib64/python2.6/shlex.py", line 172, in read_token
    raise ValueError, "No closing quotation"
ValueError: No closing quotation
>>> shlex.split('play sound file')
['play', 'sound', 'file']
So yes we should fix the way we handle urls, but we need a way to
escape those shell-sensitive chars.
Did I miss something?
--
Yann
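
An added example, not part of either message above and not gajim's code: it contrasts substituting the selected text and then calling shlex.split() on the whole string (the failure shown in the reply) with splitting the trusted command template first and substituting afterwards, then running the list with shell=False. The template, the sample text and the function names are constructed for illustration; the child process is a Python one-liner standing in for the real opener command.

```python
import shlex
import subprocess
import sys

# Constructed stand-in for a configured opener command: a child Python that
# echoes the arguments it received. "%s" marks where the selected text goes.
TEMPLATE = '"{}" -c "import sys; print(repr(sys.argv[1:]))" search=%s'.format(sys.executable)

# Constructed sample of selected chat text with shell-sensitive characters.
SELECTED = 'play sound"file \'x\' # y; echo z'


def split_whole_string(template, text):
    """Substitute first, split afterwards: the approach tried in the reply."""
    return shlex.split(template.replace('%s', text))


def build_argv(template, text):
    """Split the trusted template first, then substitute the untrusted text
    into the finished argument list, so it always stays one argument."""
    return [arg.replace('%s', text) for arg in shlex.split(template)]


def run_without_shell(argv):
    """Run argv directly (shell=False) and return what the child printed."""
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == '__main__':
    try:
        split_whole_string(TEMPLATE, SELECTED)
    except ValueError as exc:
        print('substitute-then-split fails:', exc)
    argv = build_argv(TEMPLATE, SELECTED)
    print('argument count:', len(argv))
    print('child received:', run_without_shell(argv))
```

Because no shell parses the final list, the quotes, spaces, `#` and `;` in the selected text reach the child unchanged as part of a single argument.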